Learning to avoid breaking up the Google Workspace DKIM setup

Enabling DKIM on Google Workspace is a two-step process but most people stop after completing the first one only. If that’s what you have also done, then please know that in such scenarios, DKIM and DMARC will function normally, and there won’t be any impact on email delivery, failing to complete the second step will compromise your email security. However, DKIM will fail to authenticate emails using your custom domain, causing communication problems at multiple levels. 

This blog shares the right steps so that you don’t break the Google Workspace DKIM setup.

The first step of Google Workspace DKIM setup

Begin by producing a pair of public and private DKIM keys that are protected by cryptography. Next, use your DKIM record and configure the domain’s DNS to serve the record under google._domainkeys.example.com. Please be mindful of replacing example.com with your Google Workspace domain.

Most people stop their Google Workspace DKIM setup process here. This is a wrong approach since this step alone can’t enable Google to sign emails using your domain as the signing domain. You need to perform another step to do that. 

The second step of the Google Workspace DKIM setup

Generate a DKIM record using an online tool and then add it to your domain’s DNS. Wait for 24 to 48 hours for the changes to propagate across the internet. After that, visit Google Workspace to turn on DKIM by clicking the ‘Start Authentication’ button. 

Does DMARC work fine?

Many domain owners or administrators are unaware that Google is not signing emails with their domains, as DMARC still functions properly. Typically, a malfunction in DMARC is a sign of issues with DKIM and SPF settings, but this is not the case with Google Workspace.

Two reasons DMARC continues to work in this situation are:

1. SPF records often include the _spf.google.com domain, allowing emails to pass SPF authentication checks.
2. Gmail, by default, uses the sender’s address in the ‘Envelope-From’ header, ensuring that the ‘Envelope-From’ and ‘From’ domains match.

Due to these factors, SPF alignment is maintained even if DKIM isn’t aligned, and since DMARC only requires one of these protocols to pass, the checks succeed.

Fixing the issue the right way

Certain Google applications don’t use your domain in the ‘Envelope-From header’ of the emails sent from your domain. What they do instead is use your domain in the ‘From’ header and a Google domain is used in the ‘Envelope-From’ address. 

In such scenarios, SPF alignment fails. Emails sent from these applications fail DMARC checks unless DKIM is configured and turned on in Google Workspace. 

Think of Google Calendar invites as an example. Even if the emails show your domain in the ‘From’ address, the ‘Envelope-From’ points to calendar-server.bounces.google.com.

In this case, SPF alignment will always fail, so DMARC relies only on DKIM to pass. But if DKIM isn’t used, it will also fail, causing DMARC to fail, too. If you have a strict DMARC policy (like p=reject), these confirmation emails will be rejected.

What happens when you enable DKIM authentication on an existing domain?

If you are thorough and careful in performing the two steps mentioned above, there will be no issues. But just to be on the safer end, switch your DMARC policy from ‘reject’ to ‘quarantine.’ We suggest this so your emails don’t bounce back in case of false positives.